Version 1.16. This version is no longer supported. For information about how to upgrade to version 1.28, seeUpgrade clustersin the latest documentation. For more information about supported and unsupported versions, see theVersioningpage in the latest documentation.
There are several Kubernetes releases that have deprecated and removed APIs. If
you upgrade a Google Distributed Cloud cluster to a new Kubernetes version, and
your workloads use any APIs that have been removed, your workloads can be
disrupted. Follow the steps in this document to determine whether your workloads
use any of the removed APIs for a given Kubernetes version before you upgrade
your cluster.
The following steps require that your Google Distributed Cloud clusters have
clusteraudit loggingenabled and that
audit logs are streamed toGoogle Cloud Observability, which is the
default behavior.
To determine if the Kubernetes Service Accounts you use make calls to any
deleted APIs, run the supplied query inLogs Explorer:
In the Google Cloud console, go to theLogs Explorerpage in theLoggingmenu.
CLUSTER_NAME: the name of the cluster that contains
the workloads that you're checking.
PROJECT_ID: the ID of the Google Cloud project that
your cluster uses for logs and metrics (clusterOperations.projectID).
KUBERNETES_MINOR_VERSION: the minor Kubernetes
version, such as 1.25, that has removed APIs.
The output from this query shows if any of your Kubernetes Service Accounts
make calls to API that have been removed for the given Kubernetes minor
release.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[[["\u003cp\u003eUpgrading Google Distributed Cloud clusters to new Kubernetes versions can disrupt workloads if they use removed APIs.\u003c/p\u003e\n"],["\u003cp\u003eBefore upgrading, you should determine if your workloads are using any of the removed APIs for the target Kubernetes version.\u003c/p\u003e\n"],["\u003cp\u003eTo check for removed API usage, cluster audit logging must be enabled and audit logs must be streamed to Google Cloud Observability.\u003c/p\u003e\n"],["\u003cp\u003eYou can use a specific query in Logs Explorer to identify if any Kubernetes Service Accounts are making calls to deleted APIs.\u003c/p\u003e\n"]]],[],null,["# Detect removed Kubernetes APIs\n\n\u003cbr /\u003e\n\nThere are several Kubernetes releases that have deprecated and removed APIs. If\nyou upgrade a Google Distributed Cloud cluster to a new Kubernetes version, and\nyour workloads use any APIs that have been removed, your workloads can be\ndisrupted. Follow the steps in this document to determine whether your workloads\nuse any of the removed APIs for a given Kubernetes version before you upgrade\nyour cluster.\n\nFor a list of removed APIs by Kubernetes release, see [Deprecated API Migration\nGuide](https://kubernetes.io/docs/reference/using-api/deprecation-guide/) in the\nKubernetes documentation.\n\nDetermine if the API deletion affects you\n-----------------------------------------\n\nThe following steps require that your Google Distributed Cloud clusters have\ncluster [audit logging](/anthos/clusters/docs/bare-metal/1.16/how-to/audit-logging) enabled and that\naudit logs are streamed to [Google Cloud Observability](/stackdriver/docs), which is the\ndefault behavior.\n\nTo determine if the Kubernetes Service Accounts you use make calls to any\ndeleted APIs, run the supplied query in\n[Logs Explorer](/logging/docs/view/logs-explorer-interface):\n\n1. In the Google Cloud console, go to the **Logs Explorer** page in the\n **Logging** menu.\n\n [Go to Logs Explorer](https://console.cloud.google.com/logs/query)\n2. In the **Query** field, enter the following query:\n\n resource.labels.cluster_name = \"\u003cvar label=\"name of the cluster\" translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e\" AND\n logName = \"projects/\u003cvar label=\"the project ID\" translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e/logs/externalaudit.googleapis.com%2Factivity\" AND\n protoPayload.authenticationInfo.principalEmail:(\"system:serviceaccount\" OR \"@\") AND\n protoPayload.authenticationInfo.principalEmail!~(\"system:serviceaccount:kube-system:\") AND\n protoPayload.authenticationInfo.principalEmail!~(\"system:serviceaccount:cert-manager:\") AND\n protoPayload.authenticationInfo.principalEmail!~(\"system:serviceaccount:capi-kubeadm-bootstrap-system:\") AND\n protoPayload.authenticationInfo.principalEmail!~(\"system:serviceaccount:capi-kubeadm-bootstrap-system-webhook:\") AND\n protoPayload.authenticationInfo.principalEmail!~(\"system:serviceaccount:capi-system:\") AND\n protoPayload.authenticationInfo.principalEmail!~(\"system:serviceaccount:capi-system-webhook:\") AND\n labels.\"k8s.io/removed-release\"=\"\u003cvar label=\"k8s minor version\" translate=\"no\"\u003eKUBERNETES_MINOR_VERSION\u003c/var\u003e\"\n\n Replace the following:\n - \u003cvar translate=\"no\"\u003eCLUSTER_NAME\u003c/var\u003e: the name of the cluster that contains\n the workloads that you're checking.\n\n - \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e: the ID of the Google Cloud project that\n your cluster uses for logs and metrics (`clusterOperations.projectID`).\n\n - \u003cvar translate=\"no\"\u003eKUBERNETES_MINOR_VERSION\u003c/var\u003e: the minor Kubernetes\n version, such as 1.25, that has removed APIs.\n\n The output from this query shows if any of your Kubernetes Service Accounts\n make calls to API that have been removed for the given Kubernetes minor\n release."]]
